[TriLUG] DNS providers: why bother? was Re: Email Problems

C Peters chuck.peters at gmail.com
Mon Feb 18 19:32:01 EST 2013


On Fri, Feb 15, 2013 at 5:08 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> On Fri, Feb 15, 2013 at 4:11 AM, Greg Cox <glcox at pobox.com> wrote:
> > On Thu, Feb 14, 2013 at 8:51 PM, Aaron Joyner <aaron at joyner.ws> wrote:
> >
> >> * - A surprise awaits any diligent reader who can explain where the
> >> dig +trace command above gets its list of the root nameserver
> >> addresses from.  :)
> >
> >
> > Tangential: for my home BIND I have a couple of weekly-to-monthly
> > maintenance tasks that have come up and prevented boring cacher dns from
> > being set-and-forget.
> > 1) go 'offsite' and construct a new root hints file from the live data,
> > since they do change now and then*.
>
> Keep your OS up to date, and your package maintainer will effectively
> do that for you:
> asjoyner at bob:~$ dpkg -S /etc/bind/db.root
> bind9: /etc/bind/db.root
>

I also thought the maintainers would update the D root change that
was scheduled for Jan 3rd, but as the date was approaching I hadn't seen
any updates for db.root.  So I checked the upstream Debian and Ubuntu
packages and, as it turned out, an update was not in the works.  I filed
a bug report https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1090593
and emailed the Debian maintainers, and the person who triaged the bug
didn't think it needed updating...  I later followed up with the Ubuntu
Server Team
https://lists.ubuntu.com/archives/ubuntu-server/2013-January/thread.html#6469
and now it appears Debian and Ubuntu users/admins who update their
systems should have the fix by the time the old D root is scheduled to
be shut off in July.

I have manually updated the bind9 servers I run, in case someone wants
to know how...
# wget http://www.internic.net/domain/named.root
# cat named.root > /etc/bind/db.root
# service bind9 restart

Recent versions of Ubuntu desktops are running dnsmasq as a caching
server under Network Manager.   If any of you are running bind, or other
DNS servers, on your LAN I suggest you turn off the dnsmasq by
commenting it out in /etc/NetworkManager/NetworkManager.conf:
#dns=dnsmasq

I also have run bind on dialup connections, but that was after I was
maintaining a bind8 primary server with a few authoritative zones.

And I did know the answer to your dig question, but Greg Cox beat me to
it...  What was the surprise?

The question I am trying to answer now is how can I handle DNSSEC key
rollovers without manually entering keys using one of those annoying web
interfaces.


Chuck
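
Added example, not part of the original message: a check that could run between the wget and the overwrite of /etc/bind/db.root in the manual update above, so that a truncated download, an error page, or a hints file that still carries the pre-January-2013 D root address is rejected. The function names are hypothetical, the old and new D root addresses (128.8.10.90 and 199.7.91.13) are supplied here rather than taken from the post, and the sample file is constructed with placeholder addresses for every server except D.

```shell
#!/bin/sh
# Added example: vet a downloaded root hints file before it replaces db.root.
OLD_D_ROOT="128.8.10.90"   # D root address retired by the January 2013 change

# Print "<root NS count> <NS names without an A record> <A address of D root>".
hints_summary() {
    awk '$1 !~ /^;/ && NF >= 4 {
            t = toupper($(NF-1))        # type field, with or without an IN class
            if ($1 == "." && t == "NS") ns[toupper($NF)] = 1
            if (t == "A") addr[toupper($1)] = $NF
         }
         END {
            for (n in ns) { total++; if (!(n in addr)) missing++ }
            d = addr["D.ROOT-SERVERS.NET."]
            print total + 0, missing + 0, (d == "" ? "none" : d)
         }' "$1"
}

# Return 0 only if the file looks like complete, current root hints.
check_hints() {
    [ -s "$1" ] || { echo "reject: $1 is empty or missing" >&2; return 1; }
    set -- $(hints_summary "$1")
    [ "$1" -eq 13 ] || { echo "reject: $1 root NS records, expected 13" >&2; return 1; }
    [ "$2" -eq 0 ] || { echo "reject: $2 root servers lack an A record" >&2; return 1; }
    [ "$3" != "$OLD_D_ROOT" ] || { echo "reject: still lists old D root $3" >&2; return 1; }
    echo "ok: 13 root servers, D root at $3"
}

# Constructed sample: 13 root entries; every address except D's is a placeholder.
make_sample() {    # usage: make_sample FILE D_ADDRESS
    i=0
    for l in A B C D E F G H I J K L M; do
        i=$((i + 1))
        if [ "$l" = D ]; then a=$2; else a=192.0.2.$i; fi
        echo ".  3600000  NS  $l.ROOT-SERVERS.NET."
        echo "$l.ROOT-SERVERS.NET.  3600000  A  $a"
    done > "$1"
}

tmp=$(mktemp)
make_sample "$tmp" 199.7.91.13 && check_hints "$tmp"
make_sample "$tmp" "$OLD_D_ROOT" && check_hints "$tmp" || echo "stale file kept out of db.root"
rm -f "$tmp"
```

Used with the commands in the message, the overwrite becomes conditional: `check_hints named.root && cat named.root > /etc/bind/db.root`.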


